AWS dms medium security documentation change
Summary
Added detailed step-by-step instructions for configuring IAM authentication for Amazon RDS endpoints, including IAM role creation with specific policies and trust relationships
Security assessment
The change documents IAM authentication configuration which is a security feature controlling database access. It explicitly shows how to create minimal privilege policies (rds-db:connect) and service trust relationships, directly impacting access control security.
Diff
diff --git a/dms/latest/userguide/CHAP_Endpoints.Creating.IAMRDS.md b/dms/latest/userguide/CHAP_Endpoints.Creating.IAMRDS.md index da9ac0f60..93e9be8fa 100644 --- a//dms/latest/userguide/CHAP_Endpoints.Creating.IAMRDS.md +++ b//dms/latest/userguide/CHAP_Endpoints.Creating.IAMRDS.md @@ -17 +17,48 @@ When creating an endpoint you can configure IAM authentication for your Amazon R -### AWS CLI + 1. Ensure the Amazon RDS and the database user has IAM authentication enabled. For more information, see [Enabling and disabling IAM database authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Enabling.html) in the _Amazon Relational Database Service user guide_. + + 2. Navigate to the IAM Console, create an IAM role with the below policies: + +Policy + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VisualEditor0", + "Effect": "Allow", + "Action": [ + "rds-db:connect" + ], + "Resource": [ + "arn:aws:rds-db:<region>:<account-id>:dbuser:<db-identifier>/<username>" + ] + } + ] + } + +Trust policy: + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": [ + "dms.amazonaws.com" + ] + }, + "Action": "sts:AssumeRole" + } + ] + } + + 3. During the endpoint configuration in the [[AWS DMS console]()](https://console.aws.amazon.com/dms/v2), navigate to the **Access to endpoint database** section and select **IAM authentication**. + + 4. In the **IAM role for RDS database authentication** dropdown menu, select the IAM role with appropriate permissions to access the database. + +For more information, see [Creating source and target endpoints](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Endpoints.Creating.html). + + +